Overview

overview

10

Static

static

1

jetsduu7564.exe

windows7-x64

10

jetsduu7564.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2022 22:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    jetsduu7564.exe

  • Size

    222KB

  • MD5

    75dc2f78f5b5c89fbee266137feec698

  • SHA1

    0b2f0dd1cd2909336a6a3f553f7c7e30e4557c1b

  • SHA256

    ca9dc37d5af616843ef202f89a4ce2cef6fbbc3bce92456193af9cc77bea1af0

  • SHA512

    823d6c55719ff22634fa7c3538768e5dbfe65ff9944dda228b541dbaac33d00367c2e8eb2530eb40fcdf11692e96bd5bc91d51348afe2998ef84527462b3f9b4

  • SSDEEP

    3072:WfJSq+ytGIon9KcSMNDd7ul1JUx6edox1vva7m8f4xQ3bWoG5hlYkE83EHduo9IM:MEa0NXUM6QA9dtE8y+pct1v

Score
10/10
formbookje14ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Users\Admin\AppData\Local\Temp\jetsduu7564.exe
      "C:\Users\Admin\AppData\Local\Temp\jetsduu7564.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Users\Admin\AppData\Local\Temp\dufjl.exe
        "C:\Users\Admin\AppData\Local\Temp\dufjl.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4440
        • C:\Users\Admin\AppData\Local\Temp\dufjl.exe
          "C:\Users\Admin\AppData\Local\Temp\dufjl.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3756
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:4216
      • C:\Windows\SysWOW64\control.exe
        "C:\Windows\SysWOW64\control.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:936
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\dufjl.exe"
          3⤵
            PID:4808

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\cpaswq.kj
        Filesize

        185KB

        MD5

        e2d0bcb6f272fb13c8d5f4e0fafcd7ef

        SHA1

        705c2f283f217983108d2d14bec2dd05ba84cb97

        SHA256

        cdf8be85aca508ae572693b876b9f3daacf2cf6e80c01534d04b97b61879526e

        SHA512

        c4583b159625f0fe32d02dfe05169f8b54aadc1169498ba6b58ec34d3056432f24cf46532a2aa0acdc717ef821963da4100feeec7083f32672b884ac91deed95

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\dufjl.exe
        Filesize

        6KB

        MD5

        74cbafe65a6f4de0cca11172f174b1fd

        SHA1

        515a076a1f3e5ea4290024e8d17a01df8b7569ce

        SHA256

        36c72fdce14ac0b58ca33cc96891c957e819aef91e0fb9ae0ada132105326df0

        SHA512

        0e7bb057721a2317fabfa520a6fac65be461c8ff5f6845a15b04b8914016ab1dcc4ecdc3f7a91c3ce1d4b59b88991e7cb4e03c31a9822f8ed0d4a20a20a1ea94

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\dufjl.exe
        Filesize

        6KB

        MD5

        74cbafe65a6f4de0cca11172f174b1fd

        SHA1

        515a076a1f3e5ea4290024e8d17a01df8b7569ce

        SHA256

        36c72fdce14ac0b58ca33cc96891c957e819aef91e0fb9ae0ada132105326df0

        SHA512

        0e7bb057721a2317fabfa520a6fac65be461c8ff5f6845a15b04b8914016ab1dcc4ecdc3f7a91c3ce1d4b59b88991e7cb4e03c31a9822f8ed0d4a20a20a1ea94

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\dufjl.exe
        Filesize

        6KB

        MD5

        74cbafe65a6f4de0cca11172f174b1fd

        SHA1

        515a076a1f3e5ea4290024e8d17a01df8b7569ce

        SHA256

        36c72fdce14ac0b58ca33cc96891c957e819aef91e0fb9ae0ada132105326df0

        SHA512

        0e7bb057721a2317fabfa520a6fac65be461c8ff5f6845a15b04b8914016ab1dcc4ecdc3f7a91c3ce1d4b59b88991e7cb4e03c31a9822f8ed0d4a20a20a1ea94

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\szvgcg.vc
        Filesize

        5KB

        MD5

        16f17c0cd30705a753aeb3a307ff26ed

        SHA1

        b910a46922b4e8911638d9295e83f970214df676

        SHA256

        9e292156b1545d54b76eee5c885fe16256cfc2d575a9f235480e66d3e5780677

        SHA512

        5a808bff270ebf1edaa47e702b0f6ce3987cd8d6f141d6a6a36495448d0ccf1f485a2af694588bede83f435815eb7e0245368d00e8464e43c6c4a82f110299ec

        Download Submit
      • memory/936-143-0x0000000000000000-mapping.dmp
        Download
      • memory/936-149-0x0000000001230000-0x000000000125F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/936-148-0x0000000002F60000-0x0000000002FF3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/936-147-0x0000000003230000-0x000000000357A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/936-145-0x0000000001230000-0x000000000125F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/936-144-0x00000000004F0000-0x0000000000517000-memory.dmp
        Filesize

        156KB

        Download
      • memory/3032-142-0x0000000002F20000-0x0000000002FEA000-memory.dmp
        Filesize

        808KB

        Download
      • memory/3032-150-0x0000000008100000-0x000000000826E000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/3032-151-0x0000000008100000-0x000000000826E000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/3756-141-0x0000000001700000-0x0000000001714000-memory.dmp
        Filesize

        80KB

        Download
      • memory/3756-140-0x0000000001730000-0x0000000001A7A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3756-139-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3756-137-0x0000000000000000-mapping.dmp
        Download
      • memory/4440-132-0x0000000000000000-mapping.dmp
        Download
      • memory/4808-146-0x0000000000000000-mapping.dmp
        Download